On 25 May 2018, the General Data Protection Regulation (GDPR) starts to apply in the UK. This is the biggest change to our data protection laws in a generation. Don’t ignore it.
The European Union (in perhaps one of its last hurrahs before we exit stage left) is making businesses tighten up their systems and procedures. It has decreed that all European businesses must implement the new EU General Data Protection Regulation (GDPR), which supersedes the Data Protection Act (DPA) of 1998. And just because we’re leaving the EU in 2019, we can’t avoid this legislation: we are legally bound to comply. If you don’t, it could be expensive. A breach of the regulation can be fined up to 4% of annual worldwide turnover, or €20 million, whichever is the greater. This is a board room issue.
On balance, this change is a good thing. The legislation takes account of all the new ways in which our data is held, so we should all feel safer when it’s applied. Consumers will now have stronger rights to be informed about how organisations are using their personal data.
Who does the GDPR apply to?
Anyone who controls or processes personal information, which is broadly the same as under the existing Data Protection Act. That means anyone responsible for personal data records (a controller), and also anyone processing it on their behalf (a processor). And you have to have a lawful reason to be in possession of personal data, for example to comply with a legal obligation, or to perform a contract with the individual concerned.
What information does the GDPR apply to?
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes clear that an online identifier, such as an IP address or a cookie ID, can be personal data.
For most organisations which keep HR records, customer lists or contact details etc, the change to the definition should make little practical difference. Businesses can assume that if the information they hold falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised (ie replacing identifying fields with artificial identifiers, with the means of reversing the substitution kept separately) still falls within the scope of the GDPR, because it can be linked back to an individual. Pseudonymised data is not the same as anonymised data, which cannot be restored to its original state and so is outside the GDPR altogether.
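To make the distinction concrete, here is an added example (not code from the original article) that pseudonymises a small set of constructed records with a keyed token, shows that the separately held lookup table (or the key) re-identifies them, contrasts that with genuinely anonymised output, and demonstrates why an unkeyed hash of an email address is not effective pseudonymisation. The records, key and function names are all assumptions made up for this illustration.

```python
import hashlib
import hmac

# Constructed sample records for the example; not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "postcode": "OX1 1AA", "diagnosis": "asthma"},
    {"email": "bob@example.com", "postcode": "OX2 2BB", "diagnosis": "diabetes"},
]


def pseudonymise(records, key):
    """Replace the direct identifier (email) with a keyed token.

    Returns (tokenised records, lookup table). The lookup table maps each
    token back to the original identifier and must be stored separately
    from the dataset, as must the key. Anyone holding either can
    re-identify the data, which is exactly why pseudonymised data is
    still personal data under the GDPR.
    """
    lookup = {}
    out = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()
        lookup[token] = rec["email"]
        out.append({"subject_id": token,
                    **{k: v for k, v in rec.items() if k != "email"}})
    return out, lookup


def reidentify(token, lookup):
    """Reverse the pseudonymisation using the separately held lookup table."""
    return lookup.get(token)


def anonymise(records):
    """Drop the identifier entirely and coarsen the postcode to its area.

    With no token and no lookup table there is nothing to reverse, which is
    what takes the result outside the scope of the regulation.
    """
    return [{"area": r["postcode"].split()[0], "diagnosis": r["diagnosis"]}
            for r in records]


def unkeyed_token(identifier):
    """A plain SHA-256 of the identifier, a common but weak 'pseudonym'."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def dictionary_attack_unkeyed(target_token, candidates):
    """Show why an unkeyed hash is reversible: if the input space is
    guessable (email addresses are), anyone can rebuild the mapping
    without holding any secret at all."""
    for candidate in candidates:
        if unkeyed_token(candidate) == target_token:
            return candidate
    return None
```

The keyed variant is only as strong as the separation of the key and lookup table from the data: keep them in a different system with different access controls, and treat loss of either as a breach of the pseudonymised dataset itself.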
Sensitive personal data
The GDPR refers to sensitive personal data as ‘special categories of personal data’. These categories are broadly the same as those in the DPA, but there are some minor changes.
For example, the special categories specifically include genetic data, and biometric data where it is processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
Data breaches on the rise
The Information Commissioner’s Office (ICO), which oversees UK organisations’ compliance with the regulations, reports that there were 2,168 breaches last year. 40% were in the healthcare sector, followed by local government and general business (10%). Media, marketing, utilities, religious and political organisations had the best record.
Data can leak out of an organisation simply by clicking ‘send’ or leaving a laptop unattended.
And with the focus often on digital communication, don’t overlook paper records. 42% of breaches in 2016 were caused by the improper handling or disposal of paperwork. Most incidents were data posted or faxed to the incorrect recipient, or the loss or theft of paperwork. Other breaches were due to errors such as data being left in an insecure location, insecure disposal and failing to redact sensitive data before sharing a document.
No fewer than 76 data breaches occurred where the sender failed to use BCC when sending an email to multiple recipients, so that every recipient could see the full list. And these are only the incidents that the ICO is aware of.
Other computer-related problems arose from phishing (obtaining data through deception, typically a fraudulent email or website), exfiltration (data being copied out of the organisation without authorisation) and security misconfiguration (such as publishing data online by mistake, or leaving default passwords in place).
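The BCC failure is easy to prevent in code, and easy to check for before a message leaves. The following is an added example, not code from the original article: it builds one message for a constructed list of recipients with the list carried only in the SMTP envelope, shows the naive version that exposes every address in the To header, and adds a simple outbound check that flags a message whose visible headers expose more than one address. Addresses and function names are assumptions made up for the illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed addresses for the example; not real mailboxes.
SENDER = "newsletter@example.org"
RECIPIENTS = ["alice@example.com", "bob@example.net", "carol@example.co.uk"]


def build_bulk_message(sender, recipients, subject, body):
    """Build one message for many recipients without exposing the list.

    The recipients are returned separately as the SMTP envelope (RCPT TO)
    list and never appear in the message headers. The To header carries
    only the sender. No Bcc header is written either: if a Bcc header is
    accidentally sent as part of the message, every recipient can read it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def naive_bulk_message(sender, recipients, subject, body):
    """The mistake the ICO keeps seeing: every address in To, so each
    recipient receives the whole list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def header_recipients(msg):
    """Every address a recipient would see in To, Cc or a stray Bcc header."""
    values = []
    for header in ("To", "Cc", "Bcc"):
        values.extend(str(v) for v in msg.get_all(header, []))
    return [addr for _, addr in getaddresses(values) if addr]


def leaks_recipient_list(msg, max_visible=1):
    """Outbound check: True if more than max_visible addresses are exposed."""
    return len(header_recipients(msg)) > max_visible
```

To actually send, pass the envelope list to `smtplib.SMTP.send_message(msg, from_addr=SENDER, to_addrs=recipients)`; the check can sit in a mail relay or a pre-send hook so a large visible recipient list is rejected before it leaves the organisation.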
Grundon Waste Management offers advice on best practice for safeguarding confidential printed data
Store paper documents securely
Few offices are truly paperless. Some people like a physical record they can hang on to. And a paper record might be nothing more than a phone number scribbled down on a scrap of paper.
Even a scrappy looking piece of paper is data in the eyes of EU regulators. Protect it, or shred it.
Clear desk policy
Enforce a clear desk policy. Don’t allow staff to leave any document on their desk overnight. That includes data printouts, and innocuous-looking handwritten notebook pages and post-it notes.
Dispose of documents when you’ve finished with them
In-office shredders are great, but larger volumes of paper need a commercial shredding provider, such as Shred Station. Oxfordshire-based Grundon can organise collection of confidential waste, shred it securely and provide documentation confirming what they’ve done.
Even paper that’s going to be destroyed must be kept safe until it is. Store it in a lockable container.
Knowledge is power. Knowing how to protect your company’s valuable assets is essential. Letting that data fall into someone else’s hands could not only embarrass your business, but lose it a lot of money.